International Journal of Mathematical Analysis Vol. 8, 2014, no. 51, 2531-2537 HIKARI Ltd, www.m-hikari.com http://dx.doi.org/10.12988/ijma.2014.410298 Robust EC-PAKA Protocol for Wireless Mobile Networks Eun-Jun Yoon 1 Department of Cyber Security, Kyungil University Kyungsangpuk-Do 712-701, Republic of Korea Copyright c 2014 Eun-Jun Yoon. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. Abstract This paper proposes a new authentication key agreement protocol based on elliptic curve for wireless mobile networks that provides secure mutual authentication and key agreement with key confirmation. The proposed protocol achieves many of desirable security requirements and performances compared with the related key agreement protocols. Keywords: Key agreement; Authentication; Wireless mobile networks; Elliptic curve cryptography 1 Introduction Due to limitations in power consumption, bandwidth and computation, an authentication key agreement protocol based on elliptic curve cryptography [1, 2] can be used in the wireless mobile networks. In 2005, Sui et al. [3] proposed an elliptic curve based password authenticated key agreement (in short, EC-PAKA) protocol. In 2007, Lu et al. [4] proposed an enhanced EC-PAKA protocol to against the off-line password guessing attack. In 2008, Chang- Chang [5] pointed out that Lu et al.. s enhanced EC-PAKA protocol cannot withstand the parallel guessing attack and then proposed security improvements on the Lu et al. s EC-PAKA protocol for wireless mobile networks. In 1 Corresponding author: Eun-Jun Yoon, Fax: +82-53-600-5579
2532 Eun-Jun Yoon 2012, Ahn-Yoon [6], however, showed that Chang-Chang s enhanced protocol is still vulnerable to off-line password guessing attacks. To avoid the weakness existing in Chang-Chang s enhanced protocol, this paper proposes a robust password authenticated key agreement protocol based on elliptic curve (in short, REC-PAKA) for wireless mobile networks. The proposed REC-PAKA protocol achieves many of desirable security requirements and performances compared with the related EC-PAKA protocols. The rest of this article is organized as follows. The proposed REC-PAKA protocol is given in Section 2. Next, the security of the proposed REC-PAKA protocol is analyzed in Section 3. Finally, section 4 makes concluding remarks. 2 Proposed REC-PAKA protocol This section proposes the REC-PAKA protocol for wireless mobile networks. The following notations are used throughout this paper. Alice(A), Bob(B): Two communication users; E: An elliptic curve defined over a finite field A with large group order; n: A secure large prime number; P : A point in E with large order n; D: A uniformly distributed dictionary of size D ; S: A low-entropy password shared between Alice and Bob, which is randomly chosen from D; t: The value t is derived from the password S in a predetermined way, which is uniformly distributed in Z n; H( ): A secure one-way hash function; : Concatenation of messages; Fig. 1 depicts the proposed REC-PAKA protocol, which works as follows: Step 1. A B: {A, Q A1, Q A2 } A first chooses a random number d A [1, n 1], and then computes the followings: Q A1 = (d A + t)p (1) Q A2 = d 2 AP (2) Finally, A sends the message {A, Q A1, Q A2 } to B.
Robust EC-PAKA protocol for wireless mobile networks 2533 Alice (A) Bob (B) (S, t) (S, t) Choose random d A [1, n 1] Compute Q A1 = (d A + t)p Compute Q A2 = d 2 A P {A, Q A1, Q A2} Choose random d B1, d B2 [1, n 1] Compute Y = Q A1 tp = d A P Compute Q B1 = d B1 P + d B2 Y Compute K B = d B1 Y + d B2 Q A2 Compute H B = H(A B Q A1 Q A2 Q B1 K B ) {B, H B, Q B1 } Compute K A = d A Q B1 = d B1 d A P + d B2 d 2 A P Verify H(A B Q A1 Q B1 K A )? = H B Compute H A = H(B A Q B1 Q A1 Q A2 K A ) {A, H A } Verify H(B A Q B1 Q A1 Q A2 K B )? = H A Session key sk = H(K A ) = H(K B ) Figure 1: Proposed REC-PAKA protocol for wireless mobile networks Step 2. B A: {B, H B, Q B1 } Upon receiving the message {A, Q A1, Q A2 }, B also chooses two random numbers d B1, d B2 [1, n 1], and then computes the followings: Y = Q A1 tp = d A P (3) Q B1 = d B1 P + d B2 Y (4) K B = d B1 Y + d B2 Q A2 (5) H B = H(A B Q A1 Q A2 Q B1 K B ) (6) Finally, B sends {B, H B, Q B1 } and to A. Step 3. A B: {A, H A } Upon receiving the message {B, H B, Q B1 }, A computes K A = d A Q B1 = d B1 d A P + d B2 d 2 AP (7)
2534 Eun-Jun Yoon and then checks whether the equality H(A B Q A1 Q A2 Q B1 K A ) =? H B (8) holds or not. If it holds, A computes and sends H A = H(B A Q B1 Q A1 Q A2 d A P ) (9) to B. Step 4. Upon receiving the message {A, H A }, B checks whether the equality holds or not. H(B A Q B1 Q A1 Q A2 K B )? = H A (10) Finally, A and B agree on the common session key sk = H(K A ) = H(K B ). Both sides will agree on the session key sk if all communication steps are executed correctly. Once the REC-PAKA protocol run completes successfully, both parties may use sk to encrypt their subsequent session traffic in order to create a confidential communication channel. 3 Security Analysis This section analyzes the security of the proposed REC-PAKA protocol. 3.1 Replay attack Suppose an attacker Eve intercepts {A, Q A1, Q A2 } from Alice in Step 1 and replays it to impersonate Alice. However, Eve cannot compute a correct session key K A and deliver it to Bob in Step 3 unless he/she can correctly guess the secret value t to obtain d A P and guess the right d B1 and d B2 from Q B1. When Eve tries to guess d A from d A P or d B1 and d B2 from Q B1, he/she will face the Elliptic Curve Discrete Logarithm Problem(ECDLP). On the other hand, suppose Eve intercepts {B, H B, Q B1 } from Bob in Step 2 and replays it to impersonate Bob. For the same reason, if Eve cannot gain the correct d A from Q A1, Alice will find out that H B is not equivalent to his/her computed hash value. Then, Bob will not send {A, H A } back to Eve in Step 3. Therefore, the proposed REC-PAKA protocol can withstand the replay attack.
Robust EC-PAKA protocol for wireless mobile networks 2535 3.2 Password guessing attacks An on-line password guessing attack cannot succeed since Bob can choose appropriate trail intervals. On the other hand, in an off-line password guessing attack, Eve can try to find out a weak password by repeatedly guessing possible passwords and verifying the correctness of the guesses based on information obtained in an off-line manner. In the proposed REC-PAKA protocol, Eve can gain the knowledge of Q A1 = (d A + t)p, Q B1 = d B1 P + d B2 Y, H B and H A in Steps 1, 2, and 3, respectively. To obtain the password S (or t) of Alice, Eve first guesses password S (or t ) and then finds d A P = Q A1 t P. By using d A P and Q B1, Eve will try to compute the session key sk = H(K A ) = H(K B ). However, Eve has to break the Elliptic Curve Discrete Logarithm Problem and Elliptic Curve Diffie-Hellman Problem to find the keying material sk from d A P and Q B1 to verify his/her guess. But, Eve cannot gain the session key without d A of d A P and d B1 (or d B2 ) of Q B1. Therefore, the proposed REC-PAKA protocol can withstand the password guessing attacks. 3.3 Forgery attack Without knowing the secret value t, Eve cannot make the forged message {A, Q A1, Q A2 } to cheat Bob. Without knowing the session key K B, Eve cannot make the forged message {B, H B, Q B1 } to cheat Alice. Without knowing the session key K A, Eve cannot make the forged message {A, H A } to cheat Alice. Therefore, the proposed REC-PAKA protocol can withstand the forgery attack. 3.4 Known-key security In view of the randomness of d A, d B1, and d B2 in the proposed REC-PAKA protocol, session keys in different key agreements are independent.. Thus, the knowledge of previous session keys does not help Eve to obtain any future session keys. Hence, the proposed REC-PAKA has the property of known-key security. 3.5 Perfect forward secrecy Perfect forward secrecy means that if long-term private keys of one or more entities are compromised, the secrecy of previous session keys established by honest entities is not affected. If the user s password S is compromised, it does not allow an attacker Eve to determine the session key sk for past sessions and decrypt them, since Eve is still faced with the Elliptic Curve Diffie-Hellman Problem(ECDHP). Hence, the proposed ERC-PAKA has the property of perfect forward secrecy.
2536 Eun-Jun Yoon 3.6 Mutual authentication Mutual authentication means that both the user and server are authenticated to each other within the same protocol, while explicit key authentication is the property obtained when both implicit key authentication and key confirmation hold. As such, the proposed scheme uses the Elliptic Curve Diffie-Hellman key exchange algorithm to provide mutual authentication, then the key is explicitly authenticated by a mutual confirmation fresh session key K A (or K B ). Hence, the proposed REC-PAKA provides mutual authentication. 4 Conclusions This paper proposed a robust password authenticated key agreement protocol based on elliptic curve for wireless mobile networks that provides secure mutual authentication and key agreement with key confirmation. The proposed REC-PAKA protocol achieves many of desirable security requirements and performances. As a result, the proposed REC-PAKA protocol provides more security which can be executed securely than other previously proposed related protocols. Acknowledgements This work was supported by Basic Science Research Program through the National Research Foundation of Korea(NRF) funded by the Ministry of Education, Science and Technology(No. 2010-0010106). References [1] N. Koblitz, Elliptic curve cryptosystems, Mathematics of Computation, 48 (1987), 203-209. http://dx.doi.org/10.2307/2007884 [2] V. S. Miller, Use of elliptic curves in cryptography, Proceedings of Advances in Cryptology Crypto 85, 128 (1985), 417-426,. [3] A. Sui, L. Hui, S. Yiu, K. Chow, W. Tsang, C. Chong, K. Pun, H. Chan, An improved authenticated key agreement protocol with perfect forward secrecy for wireless mobile communication, IEEE Wireless Communications and Networking Conference (WCNC 2005), (2005), 2088-2093, 2005. http://dx.doi.org/10.1109/wcnc.2005.1424840
Robust EC-PAKA protocol for wireless mobile networks 2537 [4] R. Lu, Z. Cao, H. Zhu, An enhance authentication key agreement protocol for wireless mobile communication, Computer Standards and Interfaces, 29, (2007), 647-652. http://dx.doi.org/10.1016/j.csi.2007.04.002 [5] C. Chang, S. Chang, An improved authentication key agreement protocol based on elliptic curve for wireless mobile networks, International Conference on IEEE Intelligent Information Hiding and Multimedia Signal Processing, 1 (2008), 1375-1378. http://dx.doi.org/10.1109/iih-msp.2008.14 [6] H.S. Ahn, E.J. Yoon, Cryptanalysis of Chang-Chang s EC-PAKA protocol for wireless mobile networks, World Academy of Science, Engineering & Technology, 68(1) (2012), 33-35. Received: October 8, 2014; Published: November 20, 2014